ABSTRACT


ARINC  Research  Corporation  conducted  a  reliability  review  and  analysis  program  to 
provide  the  U.S.  Army  Mobility  Equipment  Research  and  Development  Center  with  an 
evaluation  of  the  failure  modes  and  effects  and  a  quantitative  reliability  prediction  for  two 
manufacturers’  proposed  Open-Cycle  Fuel-Cell  Power  Plant  systems.  The  failure  modes  and 
effects  analyses  produced  recommendations  concerning  the  design  adequacy  and  ultimate 
maintainability  of  the  proposed  systems.  Historical  failure-rate  data  were  compiled,  and  a 
reliability-prediction  mathematical  model  was  developed  for  each  manufacturer’s  system.  A 
computer  program  was  developed  to  exercise  this  model,  and  reliability  predictions  were 
made  for  the  two  systems  for  different  environmental  conditions. 

FOREWORD


This  report  was  prepared  by  ARINC  Research  Corporation  for  the  U.S.  Army  Mobility 
Equipment  Center,  Fort  Belvoir,  Virginia,  under  Contract  DAAK01-70-D-4142.  Its  purpose 
is  to  provide  a  quantitative  reliability  prediction  of  the  Open-Cycle  Fuel-Cell  Power  Plants 
being  developed  by  Engelhard  Industries  and  Pratt  and  Whitney  Aircraft  Corporation. 

ARINC  Research  Corporation  wishes  to  express  its  thanks  to  Mr.  M.  Collins  of 
Engelhard  Industries  and  Mr.  T.  Schiller  of  Pratt  and  Whitney  Aircraft  Corporation  for  their 
excellent  cooperation  during  the  conduct  of  this  program. 

SUMMARY


RELIABILITY  PREDICTIONS 

The  results  of  the  reliability  predictions  made  for  the  Engelhard  Industries  and  Pratt 
and  Whitney  Aircraft  Open-Cycle  Fuel-Cell  designs  are  summarized  as  follows: 


                     Predicted Reliability*
Environment          Engelhard    Pratt & Whitney

Laboratory           .9540        .9130
Portable Ground      .9185        .8189
Tracked Vehicle      .7870        .6828

*Probability of completing 24-hour operation without failure.

The  analyses  conducted  in  this  study  indicate  that  only  the  Engelhard  design  meets  the 
reliability  goal  of  95  percent.  If  Pratt  and  Whitney  substituted  a  nickel-cadmium  secondary 
battery  for  a  silver-zinc  battery,  their  proposed  design  would  also  meet  the  goal.  This  study, 
however,  was  based  on  the  contractor’s  tentative  design  midway  through  Phase  I.  Certain 
component  changes  could  result  in  higher  reliability. 

ARINC  Research  believes  that  currently  the  design  is  not  final  enough  and  there  is  not 
enough  experience  on  the  system  or  its  components  to  determine  an  absolute  value  for 
reliability.  For  the  purpose  of  comparing  the  two  manufacturers’  designs,  the  reliability 
predictions made in this study are adequate. They are, however, inadequate for comparison
against another power-plant technology. In addition, because the open-cycle fuel cell is in an
early  stage  of  development,  it  was  not  possible  to  obtain  data  that  would  permit 
determining  the  confidence  levels  on  the  computed  reliability  values. 


CONCLUSIONS  AND  RECOMMENDATIONS 

The conclusions and recommendations resulting from this study are summarized as
follows:

• The Engelhard Industries design shows a higher reliability than the Pratt and Whitney
Aircraft design. If P&WA followed the recommendation to use a nickel-cadmium
secondary battery in place of a silver-zinc battery, the P&WA design would show the
slightly higher reliability. ARINC Research believes that the weight penalty involved
in using the nickel-cadmium battery rather than the silver-zinc battery is compensated
for by the increased reliability and is also mitigated by the USAMERDC
decision to eliminate the fuel tank from the design.

• The most prevalent failure mode identified in the Failure Mode and Effects Analysis
was leakage, which varied in its effects from critical to minor. Because this mode can
occur at a great number of points in the system, a comprehensive leakage
specification should be prepared and imposed on every new power plant and on every
power plant that is rebuilt.

• Some provisions should be made for identifying the components or subsystems of the
power  plant  that  have  failed.  There  are  no  monitoring  devices  for  either  system 
design  that  would  allow  maintenance  personnel  to  pinpoint  the  cause  of  cell-output 
failure.  There  are  many  components  in  the  subsystems  whose  failure  could  result  in 
cell-output  failure.  Isolating  the  cause  is  currently  a  trial-and-error  task. 

• The fuel solenoid valve in the Engelhard design appears to serve no essential purpose.
Since  its  failure  to  open  would  preclude  fuel-cell  operation,  it  should  be  eliminated. 
A  manually  operated  valve  could  be  substituted  to  provide  for  servicing  and  safety. 
Consideration  should  also  be  given  to  redesigning  the  Engelhard  system  to  use  only  a 
single  fuel  pump;  this  would  reduce  the  pump  failure  rate  by  one-half. 

• It is recommended that another reliability and availability prediction of the
Open-Cycle  Fuel-Cell  Power  Plant  be  performed  before  the  Advanced  Development 
Model  (ADM)  is  completed.  This  would  update  the  prediction  made  in  this  study  and 
permit  the  use  of  operational  and  test  data  accumulated  on  the  system  and  its 
components.  In  addition,  the  design  of  the  electronic  systems  should  be  completed 
by  that  time,  which  would  permit  a  more  precise  prediction  than  was  made  in  this 
study. 

CHAPTER ONE


INTRODUCTION 


Under  Contract  DAAK01-70-D-4142  to  the  U.S.  Army  Mobility  Equipment  Command, 
ARINC  Research  evaluated  the  reliability  of  two  Open-Cycle  Fuel-Cell  Power  Plants  under 
development  for  the  Electrotechnology  Department  at  the  U.S.  Army  Mobility  Equipment 
Research  and  Development  Center  (USAMERDC). 

The  purpose  of  these  evaluations  was  to  make  quantitative  reliability  predictions  for  the 
two  candidate  configurations  and  to  provide  USAMERDC  with  the  basic  tools  for 
performing  future  reliability  analyses.  The  following  tasks  were  performed  for  each 
configuration: 

•  Review  available  information  on  the  open-cycle  fuel-cell  power  plant  to  establish 
baseline  data 

• Identify a representative mission and define failure

•  Perform  a  failure  modes  and  effects  analysis 

•  Develop  a  reliability-prediction  model  at  the  major-component  level  that  is  flexible 
enough  to  permit  configuration  changes  and  the  use  of  various  types  of  failure 
distributions,  and  to  determine  sensitivity  to  input  data 

•  Perform  a  reliability  prediction  for  the  two  candidate  systems  in  the  anticipated 
operating  environments  and  for  a  hypothetical  system  with  idealized  characteristics 

•  Develop  an  estimate  of  the  mean  active-repair  times  and  availabilities  for  the 
candidate  systems 

•  Identify  the  functional  level  of  maintenance 

This  report  presents  a  background  discussion  and  description  of  the  candidate  systems, 
a  failure  modes  and  effects  analysis  for  each  system,  the  reliability-prediction  model  used 
and  the  predictions  resulting  from  its  use,  and  the  conclusions  and  recommendations 
resulting  from  the  study. 

CHAPTER TWO


BACKGROUND 


2.1  GENERAL 

The  U.S.  Army  is  currently  conducting  a  technical  evaluation  of  silent  ground-power 
systems.  The  Open-Cycle  Fuel-Cell  Power  Plant,  designed  by  USAMERDC,  is  one  of  the 
candidate  systems.  Two  contracts  to  develop  an  Open-Cycle  Fuel-Cell  Power  Plant  were 
awarded  by  USAMERDC.  One  was  awarded  to  Engelhard  Industries  of  Newark,  New  Jersey, 
and  the  other  to  Pratt  and  Whitney  Aircraft  of  East  Hartford,  Connecticut.  The  contracts 
called  for  the  development  of  a  system  in  accordance  with  “Purchase  Description  for 
Open-Cycle  Fuel-Cell  Power  Plant,  Direct  Current,  1.5  Kilowatt,”  dated  23  January  1970. 

The  Purchase  Description  outlined  the  specifications  for  the  development  of  an 
Advanced  Development  Model  (ADM)  Open-Cycle  Fuel-Cell  Power  Plant  set.  The  set  is  to 
consist  of  a  phosphoric-acid  fuel-cell  subsystem  and  fuel-conditioner  subsystem  with  as 
many  of  the  following  items  as  required:  voltage  regulator,  controls,  fuel  tank,  batteries, 
battery-charging  system,  winterization  equipment,  weather-resistant  housing,  rigid  skid  base, 
and  other  devices  as  required  to  achieve  a  complete  Open-Cycle  Fuel-Cell  Power  Plant.  (The 
requirement  for  a  fuel  tank  was  subsequently  deleted  by  USAMERDC.) 

Engelhard  Industries  and  Pratt  and  Whitney  Aircraft  have  been  developing  a  1.5-kW 
breadboard  power  plant  and  will  submit  a  design  for  a  1.5-kW  ADM  power  plant  as  part  of 
the  Phase  I  requirements.  USAMERDC  will  evaluate  the  proposed  ADM  design  in  order  to 
determine  which  contractor  is  to  be  awarded  the  Phase  II  contract  for  the  development  of 
the  family  of  fuel-cell  power  plants.  Phase  II  requires  deliveries  of  1.5-kW  ADM  power 
plants. 


2.2  SYSTEM  REQUIREMENTS 

The  salient  features  of  the  ADM  Purchase  Description  are  the  noise,  weight,  volume, 
and  starting  requirements.  During  operation,  the  generator  set  shall  be  inaudible  in  any 
direction  at  a  distance  of  100  meters.  Its  weight,  exclusive  of  fuels,  shall  be  150  pounds  or 
less,  and  its  volume  shall  be  less  than  eight  cubic  feet.  Without  a  winterization  system,  the 
set  shall  be  capable  of  starting  within  15  minutes;  and  with  winterization  equipment,  it  must 
be  capable  of  starting  within  30  minutes.  A  minimum  operating  time  of  1500  hours  (5000 
hours  desired)  without  servicing,  maintenance,  overhaul,  or  replacement  of  parts  other  than 
routine  servicing  and  periodic  adjustment  is  required.  The  set  shall  have  a  reliability  of  95 
percent  with  a  confidence  level  of  90  percent  for  a  mission  duration  of  24  hours,  with  an 
inherent  availability  of  98  percent.  The  set  must  also  be  capable  of  operating  with  combat 
fuels. 




2.3  SYSTEM  DESCRIPTION 


The  open-cycle  fuel  cell  is  an  indirect  hydrocarbon-air  fuel-cell  system  tailored 
specifically  for  low-power  tactical  uses.  The  process  schematic,  Figure  1,  shows  this  system. 
A regenerative thermo-catalytic cracker converts the fuel (gasoline, kerosene, etc.) to a
hydrogen-rich gas, which in turn is electrochemically oxidized in a fuel cell to produce
electrical  power.  The  hydrogen-generation  and  fuel-cell  subsystems  are  described  below. 


Figure  1.  SCHEMATIC,  OPEN-CYCLE  FUEL-CELL  POWER  PLANT 


The  open-cycle  system  has  no  closed  process  loops,  which  gives  this  system  its  name.  As 
shown  in  Figure  1,  the  fuel  passes  through  the  cracker  to  the  cell,  where  most  of  the 
hydrogen  is  consumed  and  the  excess  and  diluents  are  exhausted.  The  primary  control  fluid 
for  each  subsystem  is  air.  Each  subsystem  has  its  own  air  supply  and  control  operating  in 
total  independence  of  each  other.  One  feedback  control  is  desirable,  however,  to  throttle 
the  power  plant  by  matching  fuel  flow  rate  to  hydrogen  demand.  Unlike  earlier  closed-loop 
systems,  no  special  control  logic  is  required  to  stabilize  the  system  during  transient-load 
conditions. 

2.3.1  Hydrogen-Generation  Subsystem 

In  regenerative  thermo-catalytic  cracking,  the  hydrocarbon  fuel  passes  through  a  hot 
catalyst  bed,  cracking  to  hydrogen  and  carbon.  The  carbon  is  retained  by  the  catalyst,  and 
the  endothermic  cracking  energy  is  supplied  by  the  sensed  heat  change  of  the  bed.  Before 
the  bed  plugs  with  carbon  or  its  temperature  drops  below  an  efficient  cracking  level,  the  fuel 
flow  is  switched  to  a  second  bed  so  that  hydrogen  production  is  not  interrupted.  The  first 
bed  is  regenerated  by  burning  the  stored  carbon,  which  reheats  the  catalyst  bed.  The  process 
streams  are  switched  at  approximately  three-minute  intervals,  depending  on  bed  size  and 
fuel flow rates. Bed-temperature variations during a complete cracking-regeneration cycle
are  usually  maintained  between  limits  of  1500°  and  1900°  F. 

The  product  gas  compositions  and  flow  rates  for  a  complete  cycle  are  shown  in  Figure 
2.  The  hydrogen  produced  represents  approximately  88  percent  of  that  contained  in  the 
combat  gasoline.  The  remaining  hydrogen  is  formed  into  methane  plus  small  amounts  of 
ethane,  benzene,  and  water,  and  is  not  usable.  The  product  composition  and  yield  for 
kerosene-type  fuels  is  similar. 

The burn-out-cycle gas composition shown in Figure 2 represents the minimum air flow
found necessary for carbon removal, equal to an average combustion product of equal
volumes of CO and CO2. The heat of combustion for this product exceeds the
cracking-energy requirement. With ambient air used for combustion and exhausted at bed
temperature, the heat of combustion is more than twice that required for cracking. At high
fuel-flow rates, burning the carbon to less than stoichiometric CO2 minimizes the bed’s
cooling requirement. Conversely, at low fuel-input rates representative of part-load
power-plant operation, a proportionally higher air flow completes the combustion to CO2,
releasing additional heat to offset thermal losses.

The  most  important  aspect  of  the  regenerative  cracking  process  for  military  use  is  its 
performance  using  low-grade,  impure  fuels,  such  as  combat  gasoline.  In  the  regenerative 
cracker,  lead  is  removed  from  the  bed  during  the  burn-out  in  much  the  same  way  as  in  an 
engine.  Sulfur  in  the  fuel  is  retained  on  the  catalyst  during  the  hydrogen-generation  portion 
of  the  cycle  and  is  then  burned  off  by  the  air.  The  nickel  catalyst  favors  reduction  of 
hydrogen  sulfide  in  the  reducing  atmosphere  of  the  cracking  cycle,  while  the  formation  of 
sulfur  dioxide  is  favored  thermodynamically  when  oxygen  is  present. 

2.3.2  Fuel-Cell  Subsystem 

The  fuel-cell  subsystem  is  based  on  phosphoric-acid-electrolyte  fuel-cell  technology.  A 
phosphoric-acid  fuel  cell  has  two  characteristics  that  make  it  desirable  in  this  application: 

1.  It  is  thermally  stable  and  nonreactive  with  any  component  in  air  or  in  a 
hydrogen-product  stream  derived  from  logistic  fuels. 

2.  It  is  usable  at  moderate  temperatures  —  260°  to  300°  F  —  temperatures  at  which 
carbon  monoxide  is  not  strongly  absorbed  on  the  anode  catalyst  and  at  which  the 
fuel-cell  waste  heat  can  be  removed  by  the  process  air  stream. 

These  two  characteristics  benefit  the  power  plant  because  they  minimize  subsystem 
interface  with  the  fuel  conditioner  and  permit  singularly  simple  fuel-cell-subsystem  control. 

The  hydrogen-generator  product  stream,  dilute  in  hydrogen  and  containing  carbon 
monoxide,  can  be  used  by  this  fuel  cell  without  purification.  Similarly,  the  reactant  air 
needs  no  pretreatment. 

The  process-control  requirements  for  the  phosphoric-acid-electrolyte  fuel  cell  (reactant 
oxygen  supply,  product  water  removal,  thermal  control)  are  simple.  The  water  produced  in 
any  air-breathing  fuel  cell  is  removed  by  evaporation  into  the  reactant  air  stream.  With  other 
aqueous  electrolytes,  the  air  stream  must  be  carefully  proportioned  to  electrical-current 
drain  to  prevent  either  electrolyte  dilution  or  concentration  beyond  narrow  limits. 
Anhydrous  phosphoric  acid  at  250°  to  300°  F.  retains  an  adequate  ionic  conductivity; 
therefore,  there  is  no  constraint  on  maximum  air  flow  over  the  cathode  to  prevent  excessive 
electrolyte concentration. An air-flow rate high enough to remove all the cells’ waste heat
will  automatically  provide  the  oxygen  for  the  electrochemical  reaction  and  remove  all 
product  water  without  disabling  the  cell. 

Phosphoric  acid  has  two  major  electrochemical  deficiencies  in  comparison  with  other 
fuel-cell  electrolytes:  first,  it  has  by  far  the  poorest  conductivity,  which  limits  the  power 
capability  of  a  unit  of  cell  area  because  of  internal  resistance  losses;  second,  its  corrosiveness 
limits  the  electro-catalyst,  with  present  technology,  to  platinum-group  metals. 


CHAPTER  THREE 


RELIABILITY-PREDICTION  MODEL 


3.1  SYSTEM  DEFINITIONS 

Each  of  the  contractors,  Engelhard  Industries  and  Pratt  and  Whitney  Aircraft,  is 
developing  a  1.5-kW  breadboard  power  plant  and  will  submit  a  design  for  a  1.5-kW 
Advanced Development Model. Each of the contractors’ proposed models consists of
hydrogen-generation,  fuel-cell,  and  electronic-control  subsystems.  The  hydrogen-generation 
and  fuel-cell  subsystems  of  each  are  designed  to  accomplish  the  functions  described  in 
Chapter  Two.  The  electronic-control  subsystems  provide  power  regulation  as  well  as  control 
of  the  electrically  actuated  components  of  the  system. 

The  following  subsections  provide  a  brief  description  of  the  proposed  designs  of  each  of 
the  contractors. 

3.1.1  Engelhard  Industries  System 

Figure  3  is  a  schematic  of  the  proposed  ADM  design  from  Engelhard.  This  design 
incorporates  dual  fuel  pumps  that  are  alternately  cycled-on  electronically  to  provide  fuel  to 
the  reactors  (cracker  beds)  during  the  thermal-cracking  or  hydrogen-generation  phase.  They 
are alternately cycled-off during the burn-off phase. A check-relief valve is inserted in each
fuel-supply line to guard against back pressure to the pump. Air is cycled alternately to the
reactors by means of spring-loaded, cam-actuated valves. A cam drive train, actuated by a
slow-speed motor, actuates the air-inlet valves, the burn-off exhaust valves, and the
hydrogen-supply valves. The cams are designed to provide the proper sequencing of: (1) fuel
and air into each of the reactors, (2) burn-off effluent to the three-way valve, and (3)
generated hydrogen to the fuel-cell stack. The three-way valve is used either to exhaust the
burn-off effluent to the atmosphere or to divert it through a heat exchanger in the fuel-cell
stack to bring it to the proper operating temperature.

A  gas  trap  is  placed  in  the  hydrogen  stream  between  the  hydrogen-generation  and 
fuel-cell  subsystems  to  cleanse  the  hydrogen  of  any  methane,  lead,  or  sulfur  impurities. 

The  fuel-cell  stack  consists  of  approximately  60  phosphoric-acid  cells  that  are  cooled  by 
an  air-manifold  device.  The  temperature  of  the  stack  is  controlled  by  allowing  exhaust  gas  to 
be  diverted  through  the  heat  exchanger  as  described  above. 

Control  of  the  fuel  cell  is  provided  by  the  power  conditioner,  central  sequence  timer, 
fuel-cell  demand  detector,  and  other  circuits  as  shown  in  Figure  3. 

The  cell  is  started  up  initially  by  burning  fuel  in  both  reactors  and  venting  the  exhaust 
through the fuel-cell-stack heat exchanger. Fuel is ignited by the use of a platinum-wire
igniter in the reactor. This ignition continues until the cell stack reaches its operating
temperature.  The  number  2  fuel  pump  is  then  shut  off  and  the  thermal  cracking  process  is 
started  in  the  number  1  reactor.  The  cell  is  then  operated  by  cycling  between  reactor 
number  1  and  reactor  number  2.  The  optimum  cycle  time  has  not  yet  been  determined. 
Start-up  power  for  the  igniters  and  pumps  is  provided  by  a  nickel-cadmium  secondary 
battery. 

3.1.2  Pratt  and  Whitney  Aircraft  System 

Figure  4  is  a  schematic  of  the  proposed  Pratt  and  Whitney  ADM  design.  This  design 
incorporates  a  single  fuel  pump  that  is  continuously  energized  during  system  operation. 
Cycling  between  crackers  is  accomplished  by  means  of  fuel  solenoid  valves  actuated  by  an 
electronic  control  unit.  Similarly,  air  is  cycled  into  the  crackers  during  the  purge  cycle  by 
means  of  solenoid  valves  that  are  actuated  by  an  electronic  control  unit.  A  diverter  valve  is 
positioned downstream to divert hydrogen gas into the fuel-cell stack and the burn-off
effluent into the fuel-cell-stack heat exchanger. Fuel-cell process air is supplied by an air
blower. The fuel-cell stack is equipped with a recycle control system, which allows the air
not used in the electrolytic process to be recycled, thus retaining some of its heat. A recycle
control valve is provided to open the exit-air plenum to the atmosphere in the event that the
recycle air is too hot.

A  hydrogen  vent  is  supplied  in  the  stack  to  exhaust  any  impurities  in  the  hydrogen  gas 
stream  that  will  not  react  electrochemically  in  the  cell.  This  vent  will  be  some  type  of  orifice 
or  valve. 

Electrical control is supplied by a voltage regulator (buck regulator) and an electronic
control unit. The buck regulator regulates the dc power output from the cell to a constant
voltage and supplies parasitic power to the electrically controlled devices in the system. The
electronic control unit, not yet designed, provides approximately 15 regulating or control
functions.

The  Pratt  and  Whitney  system  is  started  up  by  opening  up  both  fuel-cell  solenoid  valves 
and  burning  fuel  in  the  cracker  beds.  The  fuel  is  ignited  by  use  of  a  conventional  spark  plug 
actuated  by  an  exciter.  Battery  power  from  a  silver-zinc  secondary  battery  supplies  the 
start-up  power  to  energize  the  exciter  and  the  blowers. 


3.2  SYSTEM  MISSION 

The mission for which the reliability of the open-cycle fuel-cell system is predicted is a
24-hour system-operating time, including start-up. The system is externally connected to a
fuel supply, which is not part of the reliability prediction.

3.3  ENVIRONMENTS 

There  is  little  operational  information  on  mechanical  or  electromechanical  equipment 
that  relates  environmental  effects  to  equipment  failure  rate.  Various  handbooks  provide 
data from which environmental effects can be grossly estimated by the use of a weighting
factor.  The  three  environments  for  which  some  weighting  factors  are  available  are  described 
below. 

3.3.1 Portable Ground Environment

The  set  is  in  a  portable  condition,  not  rigidly  mounted  in  a  fixed  installation;  it  can  be 
moved  from  place  to  place  in  vehicles  traveling  over  unimproved  roads  and  can  be  loaded 
and  unloaded  manually. 

3.3.2  Tracked-Vehicle  Environment 

The  set  is  mounted  on  a  tracked  vehicle  capable  of  traveling  over  open  terrain.  The  set  is 
subject  to  severe  shock  and  vibration  in  transport.  It  will  normally  be  operated  while  the 
vehicle  is  not  moving,  although  operation  is  not  restricted  to  times  when  the  vehicle  is 
stationary. 

3.3.3  Laboratory  Environment  (Hypothetical  System  with  Idealized  Characteristics) 

The  laboratory  environment  was  used  to  meet  the  contract  requirement  to  develop  a 
prediction  for  a  hypothetical  system  with  idealized  characteristics.  It  is  assumed  that  the 
sets  are  functioning  in  a  laboratory,  with  skilled  personnel  operating  and  maintaining  the 
power  plants. 

3.4  FAILURE  DEFINITION 

The  failure  of  any  critical  component  that  prevents  the  Open-Cycle  Fuel-Cell  Power 
Plant from meeting 100-percent power-output capability constitutes system failure. A
critical  component  is  any  item  or  part  whose  failure  would  preclude  successful  operation  of 
the  system  or  create  a  safety  hazard.  This  category  includes  the  components  required  for 
starting  the  system. 

3.5  RELIABILITY  ASSUMPTIONS 

In  predicting  the  reliability  of  the  two  power-plant  system  designs,  it  was  necessary  to 
make certain assumptions that provided the basis for the predictions. These assumptions,
applied to both contractors’ systems, are as follows:

•  Once  the  system  has  exceeded  the  infant-mortality  period,  the  failure  rate  does  not 
change  during  the  life  of  the  system.  This  assumption  permits  using  the  exponential 
distribution  to  evaluate  system  reliability.  It  is  imprecise  to  make  this  assumption  in 
the  case  of  mechanical  components  because  such  components  generally  experience 
wear-out  and  fail  more  frequently  as  they  get  older.  Their  reliability  is  more  aptly 
characterized  by  the  normal  distribution.  In  using  the  exponential  distribution,  we 
assume  an  average  failure  rate,  which  might  be  higher  than  the  failure  rate  for  the 
time  period  for  which  the  reliability  is  computed.  An  assumption  is  necessary  here, 
however,  because  we  do  not  have  enough  data  or  experience  with  the  equipment’s 
performance  to  characterize  the  failure  distributions  precisely.  For  purposes  of 
comparing  the  two  designs,  this  assumption  is  adequate. 

• For complete mission success, all components must function in accordance with their
specified requirements, without degradation or failure, for the prescribed time in the
mission. This assumption does not consider the effects of any scheduled maintenance.
Maintenance plans have not yet been developed.

3.6 RELIABILITY BLOCK DIAGRAMS


A  reliability  block  diagram  can  be  considered  a  logic  chart  that  depicts,  by  means  of  an 
arrangement  of  blocks  and  lines,  the  effect  of  failure  of  equipment  items  on  the  system’s 
functional  capability.  Items  whose  failure  causes  system  failure  are  shown  in  series  with 
other  items.  Items  whose  failure  causes  system  failure  only  when  some  other  item  has  also 
failed  are  shown  in  parallel  with  the  other  items. 

Neither  the  Engelhard  nor  the  Pratt  and  Whitney  system  incorporates  component 
redundancy.  Piece-part  redundancy  may  exist  in  some  of  the  electronic  components,  but 
reliability  values  were  developed  only  at  the  component  level.  Therefore,  the  reliability 
diagram  for  each  proposed  system  is  a  simple  series  arrangement  of  components.  If  we 
considered  a  degraded  mode  in  which  maximum  output  power  was  not  required,  the  cracker 
beds  could  be  considered  somewhat  redundant.  This  would  be  the  case  only  if  the  secondary 
battery  were  so  configured  into  the  system  as  to  provide  power  during  the  burn-out  cycle. 
Such  a  configuration  is  most  easily  made  in  the  Pratt  and  Whitney  system  since  sequencing 
is  accomplished  electrically  rather  than  mechanically,  as  it  is  in  the  Engelhard  system. 

The  basic  reliability  block  diagram  for  an  open-cycle  fuel-cell  power  plant  is  shown  in 
Figure  5. 

Figure 5. RELIABILITY BLOCK DIAGRAM, OPEN-CYCLE FUEL-CELL POWER PLANT


Basically, the open-cycle fuel-cell power plant is composed of three primary
subsystems:

• Hydrogen-Generation Subsystem. This subsystem is made up of all the components
that are required for hydrogen generation or fuel cracking. It includes all tubing to
the fuel-cell stack, which carries generated hydrogen or hot gases, and the
components required for start-up.

• Fuel-Cell Subsystem. This subsystem includes all those components involved in the
process of electrochemically combining H2 and O2 and producing electrical power.

• Electronic Control Subsystem. This subsystem includes all electronic components
used either to regulate fuel-cell output and provide parasitic power to the electrically
actuated components or to provide electrical control of these components. It also
includes the battery used for start-up.

Figures 6 and 7 are the reliability block diagrams for the Engelhard and Pratt and
Whitney  systems,  respectively.  A  five-digit  code  is  assigned  to  each  block  in  the  diagrams  to 
uniquely  identify  each  component  in  each  subsystem.  This  facilitates  computer  processing 
of  the  data  and  makes  it  easier  to  add  or  eliminate  components  as  the  design  changes. 


3.7  RELIABILITY-PREDICTION  EQUATION 

The  reliability-prediction  equation  expresses  the  mathematical  relationships  between 
the  system  components  in  the  reliability  block  diagram,  showing  how  they  are  related  to 
overall  system  reliability. 

The  system  components  of  the  open-cycle  fuel-cell  power  plant  have  essentially  a  direct 
series  relationship.  The  computer  model  calculates  the  reliabilities  of  all  the  components 
individually.  The  elements  required  for  these  calculations  are  the  failure  distribution  of  each 
component  or  circuit,  the  component  operating  time  or  cycles,  and  whether  or  not  the 
component  is  a  redundant  element  in  the  overall  model.  These  data  are  inputted  into  the 
model  with  the  component’s  five-digit  identification  number  (see  Chapter  Seven). 


The series model for either system composed of n components can be simply expressed as

$$R_s = \prod_{i=1}^{n} R_i(t) = R_1 \cdot R_2 \cdot R_3 \cdots R_n$$

where

$R_s$ = system reliability

$R_i(t)$ = reliability of the ith component as a function of time (t)

$t$ = mission time

The  equations  for  calculating  the  reliabilities  of  three  distributions  for  any  single 
component  are  as  follows: 


Exponential

$$R_i(t) = e^{-\lambda t}$$
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The  computer  program  has  an  additional  option  for  including  a  value  of  reliability  for  a 
component  without  regard  to  its  failure  distribution. 

It  was  necessary  to  assume  an  exponential  distribution  of  failures  for  the  predictions  in 
this  study.  However,  during  prototype  testing  and  development  testing,  with  the  proper 
data-collection  techniques  and  sufficient  test  time,  it  will  be  possible  to  determine  the  true 
failure  distributions  for  each  component. 
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Figure  6.  RELIABILITY  DIAGRAM,  ENGELHARD  INDUSTRIES  OPEN-CYCLE 
FUEL-CELL  POWER  PLANT 
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Figure  6.  (continued) 
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Figure  7.  (continued) 
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CHAPTER  FOUR 


DATA  COLLECTION 


4.1  DEVELOPMENT  OF  EQUIPMENT  FAILURE  RATES 

Operational data for the fuel-cell systems being developed by each of the contractors were not available for this study. It was therefore necessary to research a number of failure-rate data sources to obtain data on components similar to those of the fuel-cell systems. The primary sources used were Government and contractor data banks, which list failure rates for a variety of mechanical, electrical, and electronic components. The sources used in this study are listed in Appendix A.

The failure rate of the generic component from each source that was found to describe best the nature and use of the components of the proposed fuel-cell systems was recorded. When failure rates for a component were available in more than one source, the sources were compared and a decision was made concerning which was most representative.

Failure-rate  estimates  were  also  obtained  from  manufacturers  of  all  of  the  commercially 
available  components  of  the  two  systems.  In  some  instances,  this  was  the  only  source  of 
data. 

Where  the  components  of  the  two  proposed  systems  were  similar  (e.g.,  fuel-cell  stack, 
blowers,  etc.),  the  same  failure  rate  was  used  for  both. 

The  failure  rates  tabulated  in  Tables  1  and  2  were  assumed  to  have  been  derived  under 
laboratory  or  zero-environmental-stress  conditions.  To  project  the  rate  of  failure  at  other 
than  laboratory  conditions,  modifying  or  K-factors  were  developed.  The  environmental- 
adjusting  factors  were  derived  by  using  the  information  given  in  the  various  failure-rate-data 
sources.  These  K-factors  adjust  the  failure  rates  to  the  anticipated  environment. 

In  Tables  1  and  2,  three  K-factors  are  listed.  They  correspond  to  the  environmental 
categories  listed  in  Chapter  Three: 

K1 — Fixed Ground

K2 — Tracked Vehicle

K3 — Laboratory (Hypothetical System)

The same set of adjusting factors was used for all mechanical and electromechanical components. A different set of adjusting factors was used for the electronic and electrical components. The data sources used showed that these two classes of components were affected differently by environment.

Table 1. COMPONENT FAILURE DATA, ENGELHARD FUEL-CELL SYSTEM

| Group Code No. | Component Name | Failures Per Million Hours or Cycles (cy) | K1 | K2 | K3 | Duty Cycle | Source (see Appendix A) |
|---|---|---|---|---|---|---|---|
| 20101 | Fuel Solenoid Valve | 11.0 | 1.4 | 6 | 1 | 1 | R-ll |
| 20102 | Fuel Pump No. 1 | 8.70 | 1.4 | 6 | 1 | 0.6 | R-ll |
| 20103 | Fuel Pump No. 2 | 8.70 | 1.4 | 6 | 1 | 0.6 | R-ll |
| 20104 | Check Relief Valve No. 1 | 0.08 cy | 1.4 | 6 | 1 | 240 cy/day | R-ll |
| 20105 | Check Relief Valve No. 2 | 0.08 cy | 1.4 | 6 | 1 | 240 cy/day | R-ll |
| 20106 | Inverter, Reactor Air | 21.00 | 2.5 | 3.5 | 1 | 1 | R-ll |
| 20107 | Blower, Reactor Air | 66.66 | 1.4 | 6 | 1 | 1 | Manufacturer |
| 20108 | Filter, Reactor Air | 0.66 | 1.4 | 6 | 1 | 1 | FARADA |
| 20109 | Air-Inlet Valve No. 1 | 16.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 20110 | Air-Inlet Valve No. 2 | 16.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 20111 | Reactor No. 1 | 0.2 | 1.4 | 6 | 1 | 0.5 | PAWA |
| 20112 | Reactor No. 2 | 0.2 | 1.4 | 6 | 1 | 0.6 | PAWA |
| 20113 | Igniter No. 1 | 0.02 | 1.4 | 6 | 1 | 10 sec. | R-ll |
| 20114 | Igniter No. 2 | 0.02 | 1.4 | 6 | 1 | 10 sec. | R-ll |
| 20115 | Cam Drive Train | 0.40 | 1.4 | 6 | 1 | 1 | R-ll |
| 20116 | Motor, Cam Drive | 9.36 | 1.4 | 6 | 1 | 1 | R-ll |
| 20117 | Automatic 3-Way Valve | 47.3 | 1.4 | 6 | 1 | 1 | FARADA |
| 20118 | Methanator | 0.2 | 1.4 | 6 | 1 | 1 | PAWA |
| 20119 | H2 Supply Solenoid No. 1 | 50.0 cy | 1.4 | 6 | 1 | 240 cy/day | Manufacturer |
| 20120 | H2 Supply Solenoid No. 2 | 50.0 cy | 1.4 | 6 | 1 | 240 cy/day | Manufacturer |
| 20121 | Burn-Off Valve No. 1 | 16.00 | 1.4 | 6 | 1 | 0.5 | R-ll |
| 20122 | Burn-Off Valve No. 2 | 16.00 | 1.4 | 6 | 1 | 0.5 | R-ll |
| 20123 | Tubing | 0.20 | 1.4 | 6 | 1 | 1 | FARADA |
| 20201 | Cell Stack | 6.00 | 1.4 | 6 | 1 | 1 | PAWA |
| 20202 | Heat Exchanger | 6.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 20203 | Blower, Process Air | 19.00 | 1.4 | 6 | 1 | 1 | Manufacturer |
| 20204 | Inverter, Process Air Blower | 21.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 20205 | Filter, Process Air | 0.56 | 1.4 | 6 | 1 | 1 | FARADA |
| 20301 | Central Sequence Timer | * | 2.5 | 3.5 | 1 | 1 | R-ll |
| 20302 | Motor, Central Sequence Timing | 9.36 | 1.4 | 6 | 1 | 1 | |
| 20303 | Fuel-Cell Demand Detector | * | 2.5 | 3.5 | 1 | 1 | |
| 20304 | Power Conditioner and Controls | 228.31 | 2.5 | 3.5 | 1.0 | 1 | ARINC Research (AEG) |
| 20305 | Fuel-Cell Temperature Control | * | 2.5 | 3.5 | 1.0 | 1 | |
| 20306 | Fuel Cell Under Temperature | * | 2.5 | 3.5 | 1.0 | 1 | |
| 20307 | Battery | 500 cy** | 2.5 | 3.5 | " | 1 cy | ARINC Research |

•Du  <M  naHette.  w.  Sertioa  «  l  »«  i*W;  uwum 
••tWM  a  romefeu  aa4  •  rriti^aiUm 


Table 2. COMPONENT FAILURE DATA, PRATT & WHITNEY AIRCRAFT FUEL-CELL SYSTEM

| Group Code No. | Component Name | Failures Per Million Hours or Cycles (cy) | K1 | K2 | K3 | Duty Cycle | Source (see Appendix A) |
|---|---|---|---|---|---|---|---|
| 10101 | Filter, Cracker Air | 0.66 | 1.4 | 6 | 1 | 1 | FARADA |
| 10102 | Inverter, Cracker Air Blower | 21.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 10103 | Blower, Cracker Air | 19.00 | 1.4 | 6 | 1 | 1 | Manufacturer |
| 10104 | No. 1 Air-Selector Solenoid Valve | 10.00 | 1.4 | 6 | 1 | 0.6 | Manufacturer |
| 10105 | No. 2 Air-Selector Solenoid Valve | 10.00 | 1.4 | 6 | 1 | 0.6 | Manufacturer |
| 10106 | Exciter No. 1 | 16.70 | 2.5 | 3.5 | 1 | 10 sec. | Mfg. (MIL-STD-766) |
| 10107 | Igniter No. 1 | 276.00 | 1.4 | 6 | 1 | 10 sec. | FARADA |
| 10108 | Exciter No. 2 | 16.70 | 2.5 | 3.5 | 1 | 10 sec. | Mfg. (MIL-STD-766) |
| 10109 | Igniter No. 2 | 276.00 | 1.4 | 6 | 1 | 10 sec. | FARADA |
| 10110 | No. 1 Fuel-Selector Solenoid Valve | 11.00 | 1.4 | 6 | 1 | 0.6 | R-ll |
| 10111 | No. 2 Fuel-Selector Solenoid Valve | 11.00 | 1.4 | 6 | 1 | 0.6 | R-ll |
| 10112 | No. 1 Fuel Vaporizer | 0.02 | 1.4 | 6 | 1 | 16 min. | R-ll |
| 10113 | No. 2 Fuel Vaporizer | 0.02 | 1.4 | 6 | 1 | 16 min. | R-ll |
| 10114 | Cracker Bed No. 1 | 0.30 | 1.4 | 6 | 1 | 0.6 | PAWA |
| 10115 | Cracker Bed No. 2 | 0.20 | 1.4 | 6 | 1 | 0.6 | PAWA |
| 10116 | Diverter Valve | 47.3 | 1.4 | 6 | 1 | 1 | FARADA |
| 10117 | Diverter Valve Drive | 40.0 cy | 1.4 | 6 | 1 | 240 cy/day | Manufacturer |
| 10118 | Tubing | 0.20 | 1.4 | 6 | 1 | 1 | FARADA |
| 10119 | Fuel Pump | 8.70 | 1.4 | 6 | 1 | * | |
| 10201 | Process Air Filter | 0.68 | 1.4 | 6 | 1 | 1 | FARADA |
| 10202 | Inverter, Process Air | 21.00 | 2.5 | 3.5 | 1 | 1 | R-ll |
| 10203 | Blower, Process Air | 88.88 | 1.4 | 6 | 1 | 1 | Manufacturer |
| 10204 | Hydrogen Cooler | 6.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 10205 | Transition Ducting | o.si | 1.4 | 6 | 1 | 1 | R-ll |
| 10206 | Preheater | 5.00 | 1.4 | 6 | 1 | 1 | R-ll |
| 10207 | Air-Inlet Plenum | 0.61 | 1.4 | 6 | 1 | 1 | R-ll |
| 10208 | Fuel-Cell Stack Assembly | 6.00 | 1.4 | 6 | 1 | 1 | PAWA |
| 10209 | Air-Exit Plenum | 0.61 | 1.4 | 6 | 1 | 1 | R-ll |
| 10210 | Butterfly | 3.40 | 1.4 | 6 | 1 | 1 | R-ll |
| 10211 | Recycle Control Valve | 10.00 | 1.4 | 6 | 1 | 1 | Manufacturer |
| 10212 | Recycle Control Duct | 0.61 | 1.4 | 6 | 1 | 1 | R-ll |
| 10213 | H2 Vent | 133 | 1.4 | 6 | 1 | 1 | FARADA |
| 10301 | Voltage Regulator | 186.311 | 2.5 | 3.5 | 1.0 | 1 | Mfg. 217A |
| 10302 | Electronic Control Unit | 460.00 | 2.5 | 3.5 | 1.0 | 1 | AEG ffpmato |
| 10303 | Battery | 60,000 cy* | 2.5 | 3.5 | 1.0 | 1 | ARINC Research |

«Wt«.  -W»  -<  »  raw*. 


There are very few failure data on mechanical equipment that show the effects of temperature extremes on operating life. Temperature effects were therefore not considered in the environmental conditions.

Tables 1 and 2 also show the mission duty cycle considered for each component. Numerical values represent the ratio of component operating time to the 24-hour mission time. Times or cycles indicate the amount of time or number of cycles the component is expected to operate during a 24-hour mission.
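
The following Python code is an added example, not ARINC's computer program. It applies the series model with exponential components from Section 3.7 to five rows as they read in Table 1, assuming that the effective failure rate is the tabulated rate multiplied by the environment's K-factor and that exposure is the duty-cycle entry applied to the 24-hour mission; all function and variable names are illustrative.

```python
import math
import re

MISSION_HOURS = 24.0  # duty cycles in Tables 1 and 2 refer to a 24-hour mission

# K-factor sets as they read in Table 1: one for mechanical and
# electromechanical parts, one for electronic and electrical parts.
K_FACTORS = {
    "mechanical": {"fixed_ground": 1.4, "tracked_vehicle": 6.0, "laboratory": 1.0},
    "electronic": {"fixed_ground": 2.5, "tracked_vehicle": 3.5, "laboratory": 1.0},
}

# Rows as they read in Table 1:
# (code, name, K-factor set, failures per million, "hours" or "cycles", duty cycle)
SAMPLE_ROWS = [
    ("20101", "Fuel Solenoid Valve", "mechanical", 11.0, "hours", "1"),
    ("20102", "Fuel Pump No. 1", "mechanical", 8.70, "hours", "0.6"),
    ("20104", "Check Relief Valve No. 1", "mechanical", 0.08, "cycles", "240 cy/day"),
    ("20113", "Igniter No. 1", "mechanical", 0.02, "hours", "10 sec."),
    ("20304", "Power Conditioner and Controls", "electronic", 228.31, "hours", "1"),
]

_DUTY = re.compile(r"(\d+(?:\.\d+)?)\s*(cy/day|cy|sec|min)?\.?")


def exposure(duty, rate_unit):
    """Hours (or cycles) a component accumulates in one 24-hour mission."""
    match = _DUTY.fullmatch(duty.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised duty-cycle entry: {duty!r}")
    value, suffix = float(match.group(1)), match.group(2)
    if suffix in ("cy", "cy/day"):
        unit, amount = "cycles", value
    elif suffix == "sec":
        unit, amount = "hours", value / 3600.0
    elif suffix == "min":
        unit, amount = "hours", value / 60.0
    else:
        # A bare number is the ratio of operating time to mission time.
        if value > 1.0:
            raise ValueError(f"duty ratio above 1: {duty!r}")
        unit, amount = "hours", value * MISSION_HOURS
    if unit != rate_unit:
        # A per-cycle rate needs a cycle count, a per-hour rate needs time.
        raise ValueError(f"rate is per million {rate_unit}, duty is in {unit}")
    return amount


def hazard(row, environment):
    """Expected failures per mission (assumption: rate x K-factor x exposure)."""
    _code, _name, k_set, per_million, rate_unit, duty = row
    k = K_FACTORS[k_set][environment]
    return per_million * 1e-6 * k * exposure(duty, rate_unit)


def system_reliability(rows, environment, fixed=None):
    """Series product of R_i = exp(-hazard_i).

    `fixed` maps a group code to a reliability used as given, mirroring the
    program option to supply a value without regard to failure distribution.
    """
    fixed = fixed or {}
    reliability = 1.0
    for row in rows:
        r_i = fixed.get(row[0])
        if r_i is None:
            r_i = math.exp(-hazard(row, environment))
        elif not 0.0 <= r_i <= 1.0:
            raise ValueError(f"fixed reliability out of range for {row[0]}")
        reliability *= r_i
    return reliability


def ranked_contributors(rows, environment):
    """(code, name, share of total hazard), largest contributor first."""
    hazards = [(row[0], row[1], hazard(row, environment)) for row in rows]
    total = sum(h for _, _, h in hazards)
    shares = [(code, name, h / total) for code, name, h in hazards]
    return sorted(shares, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for env in ("laboratory", "fixed_ground", "tracked_vehicle"):
        code, name, share = ranked_contributors(SAMPLE_ROWS, env)[0]
        print(f"{env:16s} R = {system_reliability(SAMPLE_ROWS, env):.5f}  "
              f"largest contributor: {code} {name} ({share:.0%})")
```

Because the model is a pure series product, the ranking shows which component's failure rate is worth refining first as test data replace the generic rates.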

4.2  DEVELOPMENT  OF  EQUIPMENT  MAINTENANCE  DATA 

Because development of the open-cycle fuel-cell power plant is in an early stage, there are no available data for estimating system maintainability. For the purpose of this study, it was thus assumed that the contractors can at least meet the goal established in the Purchase Description. The Purchase Description requires that the system have a mean corrective-maintenance time of three man-hours. It is assumed that corrective maintenance can always be accomplished by a single maintenance man and that the mean time to repair (MTTR) for the open-cycle fuel-cell power plant is three hours.

The maintenance policy for the system is outlined generally in the Purchase Description, which requires that the system be designed to facilitate servicing and maintenance. All components that require periodic servicing as a matter of normal routine maintenance must be readily accessible without removal of any other parts. Routine-maintenance components include filters, methanators or gas traps, igniters (spark plugs or ignition wires), gauges, etc. The location of high-failure-rate parts and parts that require frequent preventive maintenance must be such as to minimize the time and effort required to perform the necessary maintenance action.

Both  Engelhard  and  Pratt  and  Whitney  are  designing  their  systems  to  these 
requirements,  with  a  goal  of  easy  replacement  of  all  components.  Our  review  of  the 
proposed  designs  of  both  contractors  indicates  that  this  goal  can  be  met. 

With regard to maintainability, it is strongly recommended that a monitoring system be incorporated that will permit diagnoses of the cause of system failure. In the failure modes and effects analysis, it was found that several failure modes that can occur in any of the three subsystems would result in system shutdown or loss of power output. Without some form of monitoring device, the cause cannot always be determined from a visual examination of the set. Therefore, diagnostic time (and hence total repair time) will be excessive. This tends to decrease system availability and increase the spare-system requirements.

The recommended monitoring subsystem should be developed during the development of the ADM. Its design should be based on the monitoring of those failure modes that have the highest probability of causing mission failure. For example, it should be able to monitor the power conditioner and controls of the Engelhard system or the electronic control system of the Pratt and Whitney system in order to determine readily which circuits have failed.
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CHAPTER  FIVE 


FAILURE  MODES  AND  EFFECTS  ANALYSIS 


5.1 ANALYSIS METHOD

The  Failure  Modes  and  Effects  Analysis  (FMEA)  is  a  systematic  examination  of  all 
components  of  the  system  to  identify  their  functions,  the  manner  in  which  they  might  fail, 
and  the  effects  of  failure  on  the  overall  system  in  relation  to  mission  performance  and 
personnel  safety. 

The identification of problem areas can lead to design changes that will improve reliability and maintainability and produce savings for the entire program. With the results of an FMEA, program management can adjust the design test and evaluation programs to provide maximum assurance that the possibility of occurrence of critical failures has been either eliminated or reduced to an insignificant level.

In  this  study,  a  Failure  Modes  and  Effects  Analysis  was  conducted  on  the  fuel-cell 
design  proposed  by  each  contractor  —  Engelhard  and  Pratt  and  Whitney.  These  analyses  are 
presented  in  Tables  3  and  4. 

The  following  elements  comprise  the  FMEA  format  used: 

•  Group  Code  Number  —  the  numbers  assigned  to  each  component  or  circuit  in  the 
reliability  block  diagrams  in  Section  3.6 

•  Description  of  Component/Assembly  —  the  nomenclature  of  the  components  or 
circuits  as  specified  by  each  manufacturer 

•  Function  —  the  general  description  of  each  FMEA  component’s  functioning  in  the 
system 

•  Failure  Mode  —  the  type  of  failure  judged  to  have  a  significant  probability 
of  occurring  during  a  mission 

•  Failure  Cause  —  the  most  probable  cause  of  the  failure 

•  Failure  Effect  —  the  effect  of  the  failure  on  the  system  and  the  mission 

• Criticality — the severity of each failure mode and its related failure effect on a discrete phase of the mission:

•• Critical (C) — a failure that is judged hazardous to personnel

•• Major (M) — a failure that significantly degrades the performance of the component or delays its function such that it may not complete a mission or a discrete phase thereof

•• Minor (m) — a failure that does not have a significant effect on the ability of the component to complete the discrete phase of the mission, but should be repaired eventually

• Action Taken/Avoidance Technique — the action to be taken by the user to return the set to operational condition; or the technique that can be used during manufacture to eliminate, or minimize the effect of, the failure mode or to make the set easier to repair in the field


5.2  GENERAL  CONCLUSIONS  AND  RECOMMENDATIONS  FROM  FMEA 

The  failure  mode  that  can  occur  most  frequently  for  both  the  Engelhard  and  Pratt  and 
Whitney  designs  is  leakage.  The  failure  effect  varies  according  to  the  location  and  severity  of 
the  leakage.  In  some  cases,  the  effect  would  be  minor.  In  any  event,  this  mode  can  occur  on 
most  of  the  components.  It  is  recommended,  therefore,  that  specifications  be  developed  for 
leakage  and  that  leak  tests  be  designed  accordingly.  As  a  minimum,  each  newly  built  system 
or  rebuilt  system  should  be  thoroughly  leak-tested  prior  to  use.  The  cause  of  any  detected 
leakage  above  the  specification  limits  should  be  determined  and  eliminated. 

In  the  design  of  the  ADM,  and  ultimately  the  production-model  fuel  cell,  serious 
consideration  should  be  given  to  the  logistics  implications  of  cost,  schedule,  availability, 
maintainability,  spares,  and  training  requirements.  For  example,  the  manufacturer  of  the 
blowers  for  both  the  fuel-cell  air  and  the  reactor  air  recommends  that  the  blower-motor 
bearings  not  be  stored  for  more  than  six  months  in  humid  climates  and  one  year  in  dry 
climates.  This  will  have  an  important  impact  on  spares-provisioning  and  replacement 
policies.  It  may  be  necessary,  for  example,  to  develop  some  sort  of  storage  container  for  the 
blowers  or  bearings,  or  both,  that  would  minimize  the  effects  of  long-term  storage.  This,  in 
turn,  would  add  to  the  total  system  cost.  Alternatively,  an  investigation  could  be  made  to 
determine  the  possibility  of  incorporating  a  blower  with  longer  bearing  shelf  life. 

In  the  design  of  the  production  model,  provisions  should  also  be  made  for  monitoring 
the  various  functional  elements  of  the  system  to  determine  their  operability.  There  is  little 
provision  for  such  monitoring  in  either  the  Engelhard  or  Pratt  and  Whitney  proposed 
designs.  Monitoring  is  necessary  for  efficient  troubleshooting  of  the  system  and  for  repair 
without  excessive  downtime.  The  monitoring  system  developed  should  be  compatible  with 
the  maintenance  philosophy.  Monitoring  of  field-replaceable  units,  for  example,  should  be  a 
prime  consideration. 


5.3  ENGELHARD  DESIGN  CONCLUSIONS  AND  RECOMMENDATIONS 

The  following  conclusions  and  recommendations  resulted  from  the  FMEA  of  the 
Engelhard  design: 

•  The  fuel  solenoid  valve  appears  to  serve  no  real  purpose  except  as  a  backup  check 
valve  to  the  fuel  pumps  and  the  check-relief  valves.  Failure  of  this  solenoid  to  open 
would  preclude  fuel-cell  operation.  (This  is  the  predominant  and  most  probable  mode 
since  the  valve  is  normally  closed.)  Failure  to  close  would  have  little  or  no  effect 
since  the  head  pressure  of  the  fuel  on  the  nonoperating  pump  would  be  too  slight  to 
be  of  any  consequence.  Therefore,  the  solenoid  should  be  eliminated.  A  manually 
operated  valve  could  be  substituted  to  provide  for  servicing  and  safety. 

Table 3. FAILURE MODES AND EFFECTS ANALYSIS, ENGELHARD INDUSTRIES DESIGN


o t  Cow#  a — M/ 
AmMjt 


Check  Relief 
Valve  No.  1 


20105  Check  Relier 
Valve  No.  2 


20106  Inverter, 

Cracker  Air 
Blower 


Blower,  Re¬ 
actor  Air 


Filter.  Reactor 
Air 


Actio*  Take*/ 
Avoid— re  Technique 


Kdeootd -actuated 
open  to  allow 
fuel  flow  to  fuel 


Pumpe  fuel  into 
reactor  bed  1 


Pumpe  fuel  into 
reactor  bad  2 


Provides  protection  Open 
a— mat  revcne  flow 
of  fuel  or  exhaust 
to  fuel  pump  1 

Ooead 


Provider  protection  Open 
against  reverse  flow 
of  fuel  or  exhaust 
to  fuel  pump  2 

Closed 


Converts  dc  out¬ 
put  from  battery 
or  fuel  cell  to  ac 
input  to  air  blower 


Provide*  purge  air 
to  reactors 


Op—  drew*  due  to 


Fuel  cannot  be  defawad 
to  pump  and  hence  not 
tact  deterioration.  Into  reactor  Fuel -cell 
Short  circuit  due  to  operation  wilt  cease  or 
vibration  or  coetaai-  not  be  started. 


Dam  fid  valvs  spring, 
contamination 


Vibration,  poor  seal. 


Vibration  and/or 


improper  securing  of 
corse,  diaphragm 
rupture 


Vibration  and/or 
shock 


improper  securing  of 
com*,  diaphragm 
rupture 


Vibration  or  contami¬ 
nation  preventing 
valve  from  M-viing 


No  effect;  fuel  pump 
spring  closes  cup  valve, 
presenting  fuel  flow. 

Fuel  will  be  spilled,  caus¬ 
ing  fire  hazard. 


Pump  will  not  operate, 
and  fuel  will  not  be  de¬ 
livered  to  reactor  1. 

Fuel  will  be  spilled,  caus¬ 
ing  fir*  haaard.  May  re¬ 
sult  in  inaufficient  de¬ 
livery  of  fuel  to  pump. 


Pump  will  not  operate, 
and  fuel  will  not  be  de¬ 
livered  to  reactor  2. 

Fuel  will  be  spilled,  caus¬ 
ing  fir*  hazard.  May  re¬ 
sult  in  insufficient  de¬ 
livery  of  fuel  to  pump. 


None,  without  simultan¬ 
eous  failure  of  H,  sup¬ 
ply  solenoid  1  (dosed). 


Visually  check  for  i< 
to  operation. 


Check  (or  leakage  dunng  o|«rstion 
If  Uahfr  u  detected,  shut  down 
and  determine  and  rectify  cause. 


Check  for  leakage  dunng  operation. 
If  leakage  is  detected,  shut  down 
and  determine  and  rectify  cause. 


Contamination  or  Fuel  cannot  be  delivered  M 
damaged  spring,  pis-  to  reactor  1  (could  be 
venting  valve  bore  catastrophic  if  pressure 

openif  builds  up  high  enough. 


Vibration  or  contami¬ 
nation  preventing 
valve  from  sealing 

Contamination  or 
damaged  spring,  pre¬ 
venting  valve  from 
opening 

K'one,  without  simultan¬ 
eous  failure  of  H,  supply 
solenoid  2  (closed). 

Fuel  cannot  be  delivered 
to  reactor  2  (could  be 
catastrophic  ii  pressure 
builds  up  high  enough). 

m 

M 

Vibration  and/or 

Cracker  air  blower  will 

M 

shock,  causing 

not  operate  and  start-up 

breaking  or  shorting 

will  not  be  accomplish'd; 

of  wiring 

or  cracker  cannot  be 
purged. 

Contamination  by 

Cracker  air  blower  will 

M 

moisture,  poor  power 

not  operate  and  start-up 

regulation 

will  not  be  accompluned; 
or  cracker  cannot  be 
purged. 

Normally  closed; 
mechanically  actu¬ 
ated  to  allow 
purge  air  to  flow 
into  reactor  1 


Normally  closed; 
mechanically  actu¬ 
ated  to  allow 
purge  air  to  flow 
into  reactor  2 


Motor  failure 

Vibration,  shock,  etc., 
causing  open  or  short 
circuit 

Reactors  cannot  be 
purged. 

Bearing  failure 

Contamination,  wear, 
storage  deterioration 

Will  result  in  either  poor 
blower  operation  or  blow¬ 
er  shutdown;  resulting  in 
subsequent  system  shut¬ 
down. 

Clogged 

Ambient  dust  and 
dirt  particles 

Air  blower  operates  in¬ 
efficiently. 

Leaking 

Structural  failure, 
seal  failure 

Forge  air  is  contaminated. 

Open,  leak 

8pring  binding,  spring 
fatigue,  contamina¬ 
tion,  broken  shaft 
due  to  vibration  or 
sliock 

Fuel-cell  output  failure 
occurs  due  to  loss  of  H} 
flow  to  stack.  Open 
valve  will  preclude  pres¬ 
sure  build-up  required  to 
allow  H,  to  flow  to  stack. 

Closed 

Spring  binding 

— 

Reactor  1  cannot  be 
purged.  Drive  train 
could  be  damaged  if  bind¬ 
ing  (secludes  valve  opening 

Operation  mould  be  snut  down  and 
motor  replaced. 

Replace  blower  wnen  bearings  be¬ 
come  noisy.  Bearings  cannot  be 
replaced  or  greased.  Manuiacturer 
recommends  no  more  than  6  months’ 
storage  of  bearings. 


Visually  check  spring  integrity. 


Visually  check  spring  integrity. 


Visually  cneck  spring  integrity. 


Visually  check  spring  integrity. 


*C = Critical, M = Major, m = Minor

Table 3 (continued)

20111  Reactor 1
  Function: Contains catalyst and provides environment for fuel cracking
  Failure Mode: Structural failure, crack, weld failure
    Failure Cause: Excessive shock and/or vibration
    Failure Effect: Pressure will drop, and H2 flow may be degraded. All output may drop.
    Criticality: m
    Action Taken/Avoidance Technique: Conduct a thorough leak test on reactor prior to assembling system. Periodically inspect for cracks or weld anomalies.
  Failure Mode: Breakdown of catalyst
    Failure Cause: Inadequate purging of reactor, thermal cycling
    Failure Effect: Catalytic action is degraded, possibly allowing impure H2 to enter stack, thus limiting stack life.
    Criticality: m

20112  Reactor 2
  Function: Contains catalyst and provides environment for fuel cracking
  Failure Mode: Structural failure, crack, weld failure
    Failure Cause: Excessive shock and/or vibration
    Failure Effect: Pressure will drop, and H2 flow may be degraded. All output may drop.
    Criticality: m
    Action Taken/Avoidance Technique: Conduct a thorough leak test on reactor prior to assembling system. Periodically inspect for cracks or weld anomalies.
  Failure Mode: Breakdown of catalyst
    Failure Cause: Inadequate purging of reactor, thermal cycling
    Failure Effect: Catalytic action is degraded, possibly allowing impure H2 to enter stack, thus limiting stack life.
    Criticality: m

20113  Igniter 1 (Platinum Wire)
  Function: Provides energy source for start-up ignition in reactor 1
  Failure Mode: Open, break
    Failure Cause: Vibration, shock, degradation
    Failure Effect: Fuel cannot be ignited in reactor 1, thus precluding start-up.
    Criticality: M

20114  Igniter 2 (Platinum Wire)
  Function: Provides energy source for start-up ignition in reactor 2
  Failure Mode: Open, break
    Failure Cause: Vibration, shock, degradation
    Failure Effect: Fuel cannot be ignited in reactor 2, thus precluding start-up.
    Criticality: M

20115  Cam Drive Train
  Function: Actuates air-inlet valves and burn-off outlet valves
  Failure Mode: Broken or bent shaft
    Failure Cause: Vibration or shock
    Failure Effect: If broken, valve actuation cannot occur. If bent, valve actuation may not occur and will not be properly sequenced if actuation does occur.
    Criticality: M
    Action Taken/Avoidance Technique: Periodically inspect drive.

20116  Motor, Cam Drive Train
  Function: Actuated by central sequence timer to drive cam drive train
  Failure Mode: Open, short
    Failure Cause: Vibration, shock, contamination
    Failure Effect: Motor will not operate and valves will not be actuated. System will not function properly.
    Criticality: M
    Action Taken/Avoidance Technique: System should be shut down.
  Failure Mode: Bearing failure, seizure
    Failure Cause: Contamination, corrosion
    Failure Effect: Motor may not operate and valves will not be actuated.
    Criticality: M
    Action Taken/Avoidance Technique: Periodically inspect motor for free-moving shaft. Replace whenever bearings are noisy.
  Failure Mode: Shaft failure or seizure, bent
    Failure Cause: Misalignment, shock
    Failure Effect: Motor may not operate properly. Drive train may not be actuated properly.
    Criticality: M

20117  Valve, Automatic 3-Way
  Function: Motor-driven to allow for diverting burn-off effluent to exhaust or to fuel-cell heat exchanger. Thermoswitch on fuel cell actuates motor.
  Failure Mode: Open, leak
    Failure Cause: Spring binding, spring fatigue, contamination, shaft break
    Failure Effect: Valve must be open during run cycle; therefore, there would be no effect. During the start-up cycle, valve should be closed to allow heated gases to flow through stack heat exchanger. If it is not, stack will not reach adequate temperature.
    Criticality: m
    Action Taken/Avoidance Technique: During start-up, cell temperature should be monitored to determine if it is increasing to the desired level. If not, shut down and replace or repair valve.
  Failure Mode: Closed
    Failure Cause: Shaft or spring binding
    Failure Effect: Regardless of whether it is in the start-up or run cycle, gas pressure will be built up.
    Criticality: C
    Action Taken/Avoidance Technique: Meter gas pressure.

20118  Methanator
  Function: Gas trap for cleansing H2 gas supply of any methane, lead, or sulphur prior to entering cell
  Failure Mode: Clogged
    Failure Cause: Improper servicing
    Failure Effect: May inhibit flow of H2 gas to stack.
    Criticality: m
    Action Taken/Avoidance Technique: With periodic replacement, this failure mode should not occur.
  Failure Mode: Leak
    Failure Cause: Poor weld, damaged gasket or sealant
    Failure Effect: May result in pressure drop, and H2 flow will be degraded. Cell output may drop.
    Criticality: m
    Action Taken/Avoidance Technique: Conduct leak test after installing new methanator.

20119  H2 Supply Solenoid Valve 1
  Function: Normally closed, actuated open to allow H2 gas generated from reactor 1 to flow to fuel cell
  Failure Mode: Closed
    Failure Cause: Open circuit due to wire breakage or contact deterioration. Short circuit due to vibration or contamination.
    Failure Effect: H2 gas pressure will be built up and may cause catastrophic rupture and possible explosion.
    Criticality: C
    Action Taken/Avoidance Technique: Monitor pressure and tie monitor to shut-down circuit.
  Failure Mode: Open
    Failure Cause: Damaged valve spring, contamination
    Failure Effect: Burn-off effluent will be vented to fuel cell. Cell may be poisoned and electrical output will drop. H2 pressure will be higher than burn-off exhaust; therefore, H2 will be exhausted out 3-way valve. Methanator may be burned out due to mixture of hot exhaust and
    Criticality: M
  Failure Mode: Leak
    Failure Cause: Improper seal caused by vibration or improper installation
    Failure Effect: Gas will be leaked to surrounding environment.
    Criticality: C
    Action Taken/Avoidance Technique: Conduct leak test on all new system builds or rebuilds.

(continued)


Table 3 (continued)

Group Code No. | Description of Component/Assembly | Function | Failure Mode | Failure Cause | Failure Effect | Criticality* | Action Taken/Avoidance Technique

20303 

Fuel -Ceil  Dr 

Man d  Detector 

Monitors  call  vok- 

apt  at  last  cel)  and 

■Metrical  fatlurs 

Open  or  short  caused 
by  vtbnuoo,  and/or 
roatHm 

Fuat  pump  will  cewe 
operating,  and  call  will 

M 

to  mcraaaa  or  da 
******  depending 

on  volley  output 
from  call 

20304 

Power  Condi 
lunar  and  Con 
trots 

Regulate*  firel-cati 
output  power  and 
provides  peramtic 
power  for  fuel 
cot)  components 

Output  fash** 

Open,  short  inroad  by 
vibration  and/or  iboek. 

AH  control  function*  are 
lost,  thus  Begat*!  fuel 
cell  operations. 

3030* 

Ptol-Cfl!  Tem 
panture  Control 

Thermo  ewacb 
v  Kuril  controls  Iwo- 

ipoad  blower  to 
control  coM-etoch 
temperature 

Open,  Mart 

Vibration  rod /or  shock 

■owe*  wdl  not  operate, 
cal  wdl  aot  (Unction. 

y 

3030* 

Fuel-Call  Under - 
T— peratiwa  Con 
iroi 

Actuate#  eu ivw*. 
tic  3- way  vatee  to 
dream  bum -off 
•■baud  to  stack 
heat  eackanpar 
whan  tamparo- 
uue  drops  below 
prescribed  least 

Open,  short 

1 

# 

I 

I 

> 

_ 

Fuel-cell  output  wtf)  be 

***** 

m 

30307 

i 

NirkeUndmiuni 

No  output 

broken  atactrodos, 
cracks,  leak*  dim  to 
vtbratioa  and/or 
sbock 

Inadequate  recharg 
mg  control 

tyilem  cannot  be 

M 

Check  battery  output  prior  to  dart -up. 
Replace  battery  f  output  ■  aero. 

Provide  for  control  of  chargmg  currant. 

lery  road  to  sup¬ 
ply  startup 

Thermal  runaway 

Catastrophic  breakup  or 
rap  In  line  of  battery 
occur*. 

C 

_ 

• Consideration should be given to a redesign in which only a single fuel pump is used, with a two-way solenoid valve for directing fuel to the proper reactor. In addition to eliminating a pump (which is susceptible to failure), this will eliminate the two check-relief valves. In the current design, if either pump fails, the system will fail, and if either check-relief valve fails to open, the system will fail. Thus there are four chances for failure. If only one pump and one two-way solenoid valve were used, there would be two fewer chances for failure. Additionally, the requirement for the check-relief valves is questionable because the fuel pump has a check valve that can guard against any back pressure.

5.4 PRATT AND WHITNEY AIRCRAFT DESIGN CONCLUSIONS AND RECOMMENDATIONS

The  use  of  a  silver-zinc  secondary  battery  in  the  Pratt  and  Whitney  design  should  be 
reconsidered.  While  a  silver-zinc  battery  is  smaller  and  lighter  than  a  nickel-cadmium 
battery,  it  has  two  serious  drawbacks  for  the  application  intended.  First,  it  is  much  more 
susceptible  to  thermal  runaway  than  a  nickel-cadmium  battery.  Thermal  runaway  results 
from  uncontrolled  charging  and  manifests  itself  ultimately  in  a  catastrophic  breakup  of  the 
battery,  causing  a  hazardous  environment  for  personnel.  Secondly,  a  silver-zinc  battery  is 
much less reliable than a nickel-cadmium battery.

It  is  recommended,  therefore,  that  Pratt  and  Whitney  Aircraft  consider  using  a 
nickel-cadmium  secondary  battery  in  place  of  the  planned  silver-zinc  secondary  battery. 
Table 4. FAILURE MODES AND EFFECTS ANALYSIS, PRATT & WHITNEY AIRCRAFT DESIGN


10101  Fiber,  Cracker  FUtme  purp  air 
Aft 


10103  Inverter,  Checker  Converts  Sc  out- 
Ak  Blow  put  (mm  bottary 

or  fuel  coil  to  ac 
input  to  air  blow 


Mow,  Oackar  ]  Providaa  purge  air 
Air  {  to  aaekat 


10104  Ak  (doctor  Solo-  Normally  c 
no  id  Vsh*  No.  1  enargtasd  a 


10106  Ak  Saiaetor  Sole- 
ooid  Valva  No.  3 


Failure  Cause 

Failure  Effect 

Ambient  duet  and 
dkt  particles 

Structural  failure, 
seal  failure 

Ak  Mower  operates 
inefficiently. 

Purge  ak  b  contami¬ 
nated. 

Vibration  and/or 


Oackar  air  Mow  will 


•hock,  causing  brack  -  not  opnU  and  itart- 
inf  or  shorting  of  up  will  not  ba  accom- 
wiring  pUatod;  or  crackar  can¬ 

not  to  pwfad. 

Contamination  by  Qractor  ak  blow*  «U1 
moktura,  poor  powar  not  oparata  and  rtart- 
rafulation  up  will  not  to  aocom- 

ptobsd;  or  crackar  can¬ 
not  to  purged. 

Vibration  and/or  Oackar  bad*  cannot  to 

abock,  causing  opan  or  puvgto. 
abort  circuit 

Contamination,  warn,  Will  result  in  atttor  poor 
storage  datarioration  Mow  opaaation  or  Mow- 
ar  shutdown,  raaultiaf  in 


cauaad  by  erceeeive 
vibration  and/or 


failure  dua  to  abock 
and/or  vibration  or 
datarioration;  spring 


Ak  will  to  mixed  with 
furl  in  crackar  bad  1  dur¬ 
ing  aaekini  cycle,  raault- 
ing  in  burning,  which 
would  not  yield  H«  M» 
Fuel  back- mixing  into  in¬ 
to  ak.  tiystem  will  to 
•but  down. 

Oaetortod  1  cmnoi  to 
purpad,  resulting  in  ulti¬ 
mate  breakdown  of  cate- 


Vibration  and/or  May  degrade  flow  of  pro- 

shock,  causing  aval  or  caaa  ak  to  arackar  during 
ooonactioo  damage  purge  cyde.  May  also 

allow  H,  pm  panaratad  in 


Dangsd  waive  spring  Ak  will  to  mixed  with 
enured  by  ticeakve  fuel  in  cracker  bad  2  due 

vibration  and/or  Lng  cracking  cycla,  rerun 

•hock  tag  in  burning,  which 

would  not  yMd  K,  pa. 
Electrical  connection  Oackar  tod  3  cannot  to 

failie*  dua  to  shock  ptepad.  resulting  in  uhi 

and/or  vibration  c*  mate  breakdown  of  cata- 


May  dtpadi  Dow  oi  pro- 
oaas  air  to  a acker  dur¬ 
ing  purge  cyd*  Hay 
abo  allow  H,  gas  ganwe- 
led  in  oackar  to  leak  in¬ 
to  atmosphere  . 

Ignito  will  not  to  ener- 
gUed,  and  syaUw  cannot 


Iptaer  will  not  function. 


Action  Taken/ 
Avoidance  Technique 


Periodically replace filter. Replace
frequently in dusty environments.
Periodically replace filter.

Replace inverter.


A sensing circuit should be incorporated
to provide shutdown of system when
motor fails.

Replace  Mower  whan  bearings  become 
noisy  Baarinp  cannot  to  replaced  or 
peaaad.  Manufacturer  recommends  no 
more  than  6  months'  storage  of  baarinp. 


Conduct leak test on all new units or
newly rebuilt units.


hnodscatty  replace  spark  plug 


Iptaer  w*  awl  hsaruoat.  |  M  Repiarv  plug 

and  system  means  he 

started 

Igniter  wtS  not  hmettna.  I  M  Nimdwall)  rvpbte  uart 


Ttbk  4.  (< 


Group 
Cods  No. 


at  Coaapoasnt/ 


Crtti- 

eaMiy* 


Aettoa  Taken/ 


Fuel  Selector 
Solenoid  Valve 
No  1 


Fuel  Selector 
Solenoid  Valve 
No  2 


Fuel  Vapneuer 
No  1 


Furl  Vaporiser 
No  2 


10111  :  lYx  k«r  Bed 

;  No  1 


10115  |  CYncker  Bed 
[  No  2 


Diverter  Valve 


10117  V*lw 

1>iw 


tout  r 

101  In  [  Fuei  f\uni- 


WMf  tv-,*.. 

till** 


Normally  cloMd, 
actuated  open  to 
allow  fuel  co  b« 
[run pad  aito  crack- 


Opan 


•r  t 


i  1 


Barnard  valve  spring 
caused  by  exceed  ve 
vibration  and/or 
■bock 

Electrical  failure  due 
to  open  or  abort  dr- 
cult,  precluding  aoW- 
notd  operation 
Vibration  and/or 
•hock,  no  proper  seal 


Normally  closed, 
situated  opan  to 
allow  furl  to  ba 
pumped  into  crack- 
er  bad  2 


Opan 


Opan,  brokan 


Opan.  brokan 


Electrical  rwatmg 
coil  uaad  to  vapor 
iir  fuel  aa  it  enters 
cracker  bad  I 

Ktrctncai  baa  in | 
coil  uaad  to  vapor 
lie  fual  aa  it  enters 
cracker  bad  2 


Con  Lain*  catalyst  .  Structural  failura,  crack, 
and  provide*  an  1  wald  failura 

vtronmmt  for  fual  I 

.T*c*-"«  I  IMdi>n  of  cauly* 


cauaad  by  excessive 
vibration  and /or 
•bock 

Electrical  failura  dua 
to  opan  or  abort  cir¬ 
cuit,  pracludini  sole- 
noid  opantion 
Vibration  and/or 

■bock,  an  pro  par  aaaj 


Vibration  and/or 
•bock 


Vibration  and/or 
•bock 


Excaaaiva  shock  and/ 
or  vibration 


Inadaquata  purfinf  of 


to  fual 
pump  dua  to  chanca  of 
burn-off  axhauat  back- 
Inf  up  to  pump. 

Crack ar  bad  numbar  1 
cannot  fanarata  bydro- 


Fual  could  ba  aptllad  in 
surrounding  anvtron- 
aant,  causbig  An  ha* 

md. 

There  ■  a  pomiblUty  of 
dimaft  to  fual  pump 
dua  to  chanca  of  btwn- 
off  exhauet  backtnf  up 
to  pump. 

Ckackar  bad  numbar  2 
cannot  fanarata  hydro- 


Fual  could  ba  aptllad  in 
•urroundlng  environ 
mant,  causing  fin  has- 


There should be some provision made for
monitoring this valve and shutting down
the system.

System should be completely leak-tested
when new and after every rebuild.


Some provision should be made for
monitoring this valve and shutting down the


System should be completely leak-tested
when new and after every rebuild.


Contain*  catalyst 
and  prove*  je  en- 
vvonmen  for  furl 
■  racking 


rhraa  way  wdva  for  i  Lank 
diverting  bum -off 
•ibeuM  to  eahauat.  j 
furl -call  stack  ur  j 
fuel  cell  preheater 
K Wet nc  actuator 
driven 


Structural  failura,  crack, 
wald  failura 


'  Ibvakdown  of  catalyst 


Hr>tr*  ai  actuator.  | 
energised  by  »he 
rk.ir.ni.  control  | 
unit  li>  tu.il*  dl 
ndff  v*lv« 


\U-»wt  m* 
Vwugti  «>stem 

r^**U>*  fuel  *»!»» 

>ra»ar«  bad* 


r.l(er«  ut.tiHIVg 


Kievtncai  failure 


Meinemomi  failure 


lest.  rupTitfe.  < 
Short ,  open 


Excessive  shock  and  / 
or  vibration 


inadequate  purging  of 
reactor 


Partickea  between 
boron-nitrate  rotor 
and  valve  surface 

Corrowon.  banding, 
tpnng  failure 


Open  o*  ihct  cartel 
cauesd  by  escaesive 
shock  and  or  vibra¬ 
tion.  poor  etectrveal 
connection 


('onlaminebun  m 
gear*,  owehaating . 
itustng  lubnraliun 
breakdown 


Fuel will not be vaporized.
Effect not determined.

Fuel will not be vaporized.
Effect not determined.

Pressure will drop, and
H2 flow may be degraded.

Catalytic action is degraded,
possibly allowing impure H2
to enter stack, thus limiting
stack life.

Pressure will drop, and
H2 flow may be de-


lta* 

known 


Un¬ 

known 


Conduct a thorough leak test on reactor
prior to assembling system. Periodically
inspect for cracks or weld anomalies.


Conduct a thorough leak test on reactor
prior to assembling system. Periodically
inspect for cracks or weld anomalies.


Vibration.  *bork,  poor 


Catalytic action is degraded,
possibly allowing impure H2
to enter stack, thus limiting
stack life.

There is a possibility of
a reduction in the flow
of heating air to the cell
stack.

Valve will be stuck in one
position, negating ability
to control fuel-cell temperature.

Ability to actuate diverter
valve will be precluded,
with possible reduction in
cell output due to either
too much or not enough
heat. Stack will not get
fuel when required.

Ability to actuate diverter
valve will be precluded,
with possible reduction in
cell output due to either
too much or not enough
heat. Stack will not get
fuel when required.

H2, fuel, or air pressure
will drop.

Pump will not operate.


Replace  vale* 


Condect  teak  tew  on  enure  system  after 


CMtfat  periodic  elnrtftasl  rtnki  Re¬ 


am.  fruity  weeds,  dm 


Fuel  wdl  he  spatted,  vsus 
mg  fwe  ha  sard  May  re 


Lmeh»* 


beery  ai  fuel  lo  pump 
me/ ft 


Chock  for  Was  apt  during  open**®"  If 
Wehigs  w  detected,  shut  down  add  d» 
unman  and  iwrtt/y  mm 

ft  ovate  foe  »  winter  nptwvwenS  of  filter 


dat  part*  in 

ten*  i  -e si  fadurv.  aval 

fwhwu  due  to  shock 


cwntiy 

There  n  s  pnmihihty  of 
of  pro 


•eQ  eat 


CHAPTER  SIX 


RELIABILITY  AND  AVAILABILITY  PREDICTIONS 


6.1  RELIABILITY  PREDICTIONS 

Predictions were made of the reliabilities of the Engelhard and Pratt and Whitney
proposed open-cycle fuel-cell system designs. These predictions used the reliability model
and procedure described in Chapter Three and the data presented in Chapter Four. The
computer program used for the calculations is described in Chapter Seven.

The  predictions  are  based  on  the  information  currently  available  on  both  the  design  of 
the  systems  and  the  failure  rates  of  their  components.  They  provide  a  fair  basis  for 
comparison  between  the  two  contractors’  systems.  Because  of  the  incompleteness  of  the 
data  as  outlined  in  Chapter  Four  and  because  of  the  relatively  early  design  stage  of  the 
open-cycle  fuel-cell  power  plant,  the  reliability  figures  should  be  used  only  to  compare  the 
two  competing  designs  and  not  to  compare  the  fuel-cell  technology  with  another 
power-plant  technology  without  careful  consideration  of  the  state  of  development  of  each. 

Table  5  presents  the  results  of  the  reliability  prediction  conducted  for  each 
manufacturer’s  design  under  the  environmental  conditions  discussed  in  Section  3.3.  Methods 
are  not  available  for  establishing  confidence  levels  on  predicted  reliability  values.  Therefore, 
confidence  levels  are  not  presented  in  this  report. 


Table 5. PREDICTED RELIABILITY* OF OPEN-CYCLE FUEL-CELL SYSTEMS

Environment        Engelhard Design    Pratt & Whitney Design
Laboratory         .9540               .9130
Portable Ground    .9185               .8189
Tracked Vehicle    .7870               .6828

*Probability of completing 24-hour operation without failure.

As expected, the more severe the environmental conditions, the lower the reliability. In
both manufacturers' designs, the limiting factors in the reliability computations were the
electronic components, for which very little information was available on design, stress
levels, functions, etc. The estimates of their failure rates, therefore, were extremely gross.
For  example,  the  Electronic  Control  Unit  in  the  Pratt  and  Whitney  system  is  not  yet 
designed,  and  its  failure  rate  was  estimated  on  the  basis  of  the  projected  number  of  active 
element  groups  to  be  incorporated  in  its  design.  Several  of  the  electronic  devices  in  the 
Engelhard  system  have  not  yet  been  designed,  and  a  description  of  their  functions  is  not 
available.  Therefore,  it  was  assumed  that  the  failure  rate  for  these  devices  was  equivalent  to 
that  estimated  for  the  P&WA  Electronic  Control  Unit. 

As discussed in Section 5.4, the use of a silver-zinc battery by Pratt and Whitney results
in a reduced reliability. To quantify the reduction in reliability, computations were made
for the P&WA system with a nickel-cadmium battery substituted for a silver-zinc battery.
The results were as follows:

R_Laboratory = .9593
R_Portable Ground = .9268
R_Tracked = .8120

Comparing these values with the values shown in Table 5 provides an indication of the
reliability penalty being paid by P&WA with the silver-zinc battery.

6.2  AVAILABILITY  PREDICTIONS 

Inherent  availability,  a  function  of  active  operating  and  repair  time,  is  the  probability 
that  the  system  will  operate  satisfactorily  when  called  upon.  Mathematically,  it  can  be 
defined  as  follows: 


$$A_i = \frac{MTBF}{MTBF + MTTR}$$


where


A_i = Inherent Availability

MTBF = Mean Time Between Failures (Hours)

MTTR = Mean Time To Repair (Hours)


Estimates  of  Mean  Time  To  Repair  for  the  proposed  open-cycle  fuel-cell  system  designs 
were  not  available  for  this  study.  The  Purchase  Description  establishes  a  Mean  Corrective 
Maintenance  Time  goal  of  three  man-hours.  If  it  is  assumed  that  corrective  maintenance  can 
be  accomplished  in  all  cases  by  a  single  maintenance  man  and  that  Mean  Corrective 
Maintenance  Time  is  equivalent  to  Mean  Time  To  Repair,  then  the  inherent  availabilities  of 
the  two  designs  can  be  estimated  as  follows  (laboratory  environment  only  and  assuming  that 
the  maintenance  goal  of  three  hours  can  be  met): 


Contractor         A_i      MTBF      MTTR
Engelhard          .9941    509.55    3
Pratt & Whitney    .9837    263.73    3



CHAPTER  SEVEN 


COMPUTER  PROGRAM 


The  computer  program  was  developed  on  a  time-sharing  system  with  basic  FORTRAN 
used  as  the  language.  This  made  the  program  suitable  for  use  on  USAMERDC’s  COMSHARE 
time-sharing  system  with  their  preferred  XTRAN  language. 

The  program,  described  and  illustrated  in  Appendix  B,  is  designed  to  assess  the 
reliability  of  a  simple  series  system.  It  can  assess  individual  component  redundancy  when 
the  appropriate  inputs  are  provided  for  the  redundant  elements.  Four  reliability  or  failure 
distributions  can  be  manipulated  in  the  program:  the  exponential,  normal,  and  lognormal 
distributions,  and  probability.  It  is  not  necessary  for  all  components  to  have  the  same 
distribution,  but  one  component  cannot  have  two  failure  distributions  at  one  time.  The 
three  individual  K-factors  can  be  applied  to  the  single  component  failure  rate  to  account  for 
different  system  environments. 

Appendix  B  also  presents  detailed  instructions  for  exercising  the  program  on  a 
time-sharing  computer  terminal. 
APPENDIX A


SOURCES  OF  FAILURE-RATE  DATA 


APOLLO  Reliability  Prediction,  Estimation,  and  Evaluation  Guidelines,  National 
Aeronautics  and  Space  Administration,  December  1963.  (R-ll) 

RADC-TR-114,  Volumes  I,  II,  and  III,  Data  Collection  for  Nonelectronic  Reliability 
Handbook,  Rome  Air  Development  Center,  Air  Force  Systems  Command,  Griffiss  Air  Force 
Base,  New  York,  June  1968. 

Failure  Information  Notebook,  Special  Technical  Report  No.  32,  ARINC  Research 
Corporation,  December  31,  1965. 

Mechanical  Design  and  System  Handbook,  Harold  A.  Rothbart,  McGraw-Hill  Book 
Company,  New  York,  1964. 

MIL-HDBK-217A,  Reliability  Stress  and  Failure  Rate  Data  for  Electronic  Equipment, 
Department  of  Defense,  1  December  1965. 

Army,  Navy,  Air  Force  and  NASA  FARADA  Failure  Rate  Data  Program,  Volumes  1,  2, 
3,  and  4,  Naval  Fleet  Missile  Systems  Analysis  and  Evaluations  Group,  Corona,  California. 
APPENDIX B


COMPUTER-PROGRAM  FLOW  CHART  AND  INSTRUCTIONS  FOR  USE 


FLOW  CHART 

The flow chart for the computer program is presented in Figure B-1.


INSTRUCTIONS  FOR  USE  ON  TIME-SHARING  COMPUTER  TERMINAL 

The  steps  described  herein  must  be  strictly  adhered  to  for  the  program  to  function 
properly. 

When a link with the time-sharing system is established, the first symbol seen after
“Run” is typed is an equal (=) sign. After the equal sign, type the number of components
(N1) in the Pratt and Whitney system and the sum of the components in the Pratt and
Whitney system and the Engelhard system (N2). Each of these variables is allocated two
places, and the data must be right-justified.

A  second  equal  sign  will  then  appear,  and  the  operate  time  must  be  typed.  The  time  is 
allocated  five  places;  it  must  be  typed  with  a  decimal  place  and  in  such  a  way  that  none  of 
the  five-digit  fields  overlap. 

The  third  and  last  equal  sign  will  appear,  and  the  K-factor  codes  (1  to  3)  must  then  be 
punched,  followed  by  a  “1”  or  “2”,  indicating  that  the  calculations  are  to  be  made  for  the 
Pratt  and  Whitney  system  or  the  Engelhard  system,  respectively.  These  K  factors  are  used  to 
adjust  the  failure  rate  and  mean  values.  There  must  be  a  K  factor  for  each  run;  the  K  factor 
and  the  system  code  are  each  allocated  two  places,  and  the  data  must  be  right-justified.  This 
ends  the  data  entry  at  the  keyboard  at  the  time  of  execution. 

The  failure  rates,  means,  accrued  operating  time,  and  K-factors  and  duty  cycles  are 
stored  as  a  file  and  called  “YRDATA.” 

When  the  data  are  prepunched,  the  following  format  is  used,  where  one  line  represents 
one  component: 

•  Columns  1-5  contain  a  line  number  code.  This  is  not  used  by  the  model  program  but 
is  used  to  edit  and  update  data  entries. 

•  Column  8  contains  a  “1”  if  the  component  is  in  series  and  a  “2”  if  it  is  in  parallel. 

• Column 11 contains a “1” if the component failure rate is in failures per 10^6 hours,
and a “2” if the component failure rate is in failures per 10^6 cycles.

• Column 14 contains the distribution codes:

1 = exponential

2 = normal

3 = lognormal

4 = probability of success

• Columns 15-21 contain the exponential failure rate × 10^6, or the mean time to
failure (normal or lognormal), or the probability of the component’s success.

• Columns 22-28 contain the standard deviation (normal or lognormal) or are set to 0.

• Columns 29-35 contain the time the component has already operated if normal or
lognormal is used; otherwise, they are set to 0.

• Columns 36-42 contain K factor number 1.

• Columns 43-49 contain K factor number 2.

• Columns 50-56 contain K factor number 3.

•  Columns  57-63  contain  the  duty  cycle  if  Column  11  is  “1”  and  the  number  of  cycles 
of  operation  in  24  hours  if  Column  11  is  a  “2”. 

Note  1:  The  last  seven  fields  must  be  punched  with  a  decimal  point,  and  no  fields  may 
overlap. 

Note  2:  The  values  associated  with  lognormally  distributed  variables  must  be  in  terms  of 
natural  logarithms. 

The prediction program is shown in Figure B-2.


C     VAR(I,1)=RATE, MEAN OR PROBABILITY  VAR(I,2)=STANDARD DEVIATION
C     VAR(I,3)=ACCRUED TIME  VAR(I,4-6)=K FACTORS  VAR(I,7)=DUTY/CYCLES
      DIMENSION ISP(75,2),IDST(75),VAR(75,7),T(1),IN(75)
      FILENAME YRDATA
   35 READ 1,N1,N2
    1 FORMAT(2I2)
      IF(N1) 36,36,37
   36 STOP
   37 READ 2,T(1)
    2 FORMAT(F5.0)
      BEGIN FILE "YRDATA"
      READ("YRDATA",4) (IN(I),ISP(I,1),ISP(I,2),IDST(I),
     1 (VAR(I,J),J=1,7),I=1,N2)
    4 FORMAT(I5,3I3,7F7.2)
      READ 1,K,M
      PRINT:"SYSTEM RELIABILITY AND OPERATE TIME"
      P=1.0
      J=1
C     M=1 SELECTS COMPONENTS 1..N1, M=2 SELECTS N1+1..N2
      IF(M-1) 17,17,18
   17 IB=1
      IE=N1
      GO TO 19
   18 IB=N1+1
      IE=N2
   19 DO 200 I=IB,IE
C     HOURS: OPERATE TIME X DUTY CYCLE.  CYCLES: NUMBER OF CYCLES
      IF(ISP(I,2)-1) 31,31,32
   31 TIME=T(J)*VAR(I,7)
      GO TO 33
   32 TIME=VAR(I,7)
   33 IJ=K+3
      II=IDST(I)
      GO TO (21,22,22,24),II
C     EXPONENTIAL
   21 XM=VAR(I,1)/1000000.0*VAR(I,IJ)
      PRO=(EXP(-XM*TIME))
      GO TO 20
C     NORMAL AND LOGNORMAL
   22 XM=VAR(I,1)*VAR(I,IJ)
      TIME=TIME+VAR(I,3)
      IF(II-2) 25,25,23
   25 Y=(TIME-XM)/VAR(I,2)
      GO TO 26
   23 Y=(ALOG(TIME)-XM)/VAR(I,2)
   26 PRO=0.5*(1.0+(1.0-EXP(-0.63662*Y*Y))**0.5)
      IF(Y) 20,20,28
   28 PRO=1.0-PRO
      GO TO 20
C     PROBABILITY OF SUCCESS
   24 PRO=VAR(I,1)
C     SERIES: MULTIPLY.  PARALLEL: TWO REDUNDANT UNITS
   20 IF(ISP(I,1)-1) 27,27,29
   27 P=P*PRO
      GO TO 200
   29 P=P*(2.0*PRO-PRO*PRO)
  200 CONTINUE
      PRINT 9,P,T(J)
    9 FORMAT(2E15.8)
      GO TO 35
      END


Figure B-2. PREDICTION PROGRAM
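The record layout and the prediction logic described above, ported to Python as an added example (not part of the report and not ARINC's code): it parses FORMAT(I5,3I3,7F7.2) records, enforces the decimal-point rule of Note 1, and applies the same per-distribution formulas and series/parallel product as the listing. The sample records and all function names are constructed for illustration.

```python
import math

# Python equivalent of the listing's FORMAT(I5,3I3,7F7.2); used here only to
# build correctly aligned sample records.
RECORD = "%5d%3d%3d%3d" + "%7.2f" * 7

# Constructed sample components (illustrative, not data from the report):
# line no., series=1/parallel=2, hours=1/cycles=2, distribution code,
# rate or mean or probability, sigma, accrued time, K1, K2, K3, duty or cycles
SAMPLE = [
    RECORD % (10, 1, 1, 1, 50.0, 0.0, 0.0, 1.0, 2.0, 5.0, 1.0),
    RECORD % (20, 2, 1, 1, 2000.0, 0.0, 0.0, 1.0, 2.0, 5.0, 1.0),
    RECORD % (30, 1, 2, 4, 0.99, 0.0, 0.0, 1.0, 1.0, 1.0, 10.0),
    RECORD % (40, 1, 1, 2, 500.0, 100.0, 200.0, 1.0, 1.0, 1.0, 1.0),
]


def parse_record(line):
    """Return ((series_parallel, units, dist), [7 reals]) for one data line."""
    if len(line) < 63:
        raise ValueError("record is shorter than 63 columns")
    codes = tuple(int(line[a:b]) for a, b in ((5, 8), (8, 11), (11, 14)))
    if codes[0] not in (1, 2) or codes[1] not in (1, 2) or codes[2] not in (1, 2, 3, 4):
        raise ValueError("bad code field(s): %r" % (codes,))
    reals = []
    for i in range(7):
        field = line[14 + 7 * i:21 + 7 * i]
        if "." not in field:  # Note 1: every real field needs a decimal point
            raise ValueError("field %d lacks a decimal point: %r" % (i + 1, field))
        reals.append(float(field))
    return codes, reals


def polya_cdf(y):
    """Closed-form normal CDF approximation used by the program, for |y|."""
    return 0.5 * (1.0 + math.sqrt(1.0 - math.exp(-0.63662 * y * y)))


def exact_cdf(y):
    """Exact standard normal CDF, for checking the approximation."""
    return 0.5 * (1.0 + math.erf(y / math.sqrt(2.0)))


def component_reliability(codes, reals, t_op, k_code):
    """Reliability of one component for operate time t_op and K-factor 1..3."""
    _, units, dist = codes
    value, sigma, accrued = reals[0:3]
    k = reals[2 + k_code]                       # VAR(I, K+3) in the listing
    time = t_op * reals[6] if units == 1 else reals[6]
    if dist == 1:                               # exponential, rate per 10^6
        return math.exp(-(value / 1.0e6) * k * time)
    if dist == 4:                               # fixed probability of success
        return value
    time += accrued                             # normal / lognormal
    y = ((time if dist == 2 else math.log(time)) - value * k) / sigma
    return 1.0 - polya_cdf(y) if y > 0 else polya_cdf(y)


def system_reliability(lines, t_op, k_code):
    """Series product; a 'parallel' record counts as two identical units."""
    p = 1.0
    for line in lines:
        codes, reals = parse_record(line)
        r = component_reliability(codes, reals, t_op, k_code)
        p *= r if codes[0] == 1 else 2.0 * r - r * r
    return p


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, round(system_reliability(SAMPLE, 24.0, k), 4))
```

For the constructed normally distributed component, the program's closed-form approximation differs from the exact normal CDF by about 0.001.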


